The commander of the U.S. Cyber Command said on Wednesday that critical infrastructure like power grids and financial networks are weak and need to be strengthened against cyber attacks.
"From my perspective, the threats are real and growing," said Army Gen. Keith Alexander, who heads the Cyber Command as well as the electronic intelligence-gathering National Security Agency.
"You only have to look at the distributed denial of service attacks that we've seen on Wall Street, the destructive attacks we've seen against Saudi Aramco and RasGas to see what's coming at our nation," he said. "We need to act, and we need to act now. That time for action is now, and this executive order takes a step in implementing that action."
Alexander spoke with other government officials at the Commerce Department on Wednesday. He was commenting on Presidential Policy Directive-21 (PPD-21), on protecting critical U.S. infrastructure from both cyber and physical attacks.
"America must also face the rapidly growing threat from cyber attacks," President Barack Obama said announcing the order in the State of the Union speech Tuesday night.
"Now, we know hackers steal people's identities and infiltrate private emails," he said. "We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems."
The order gives the Department of Homeland Security and its secretary, Janet Napolitano, authority to lead inter-agency efforts to identify threats to critical infrastructure, which are mostly owned by private entities.
The executive order is the latest U.S. government effort to coordinate fragmented agencies in dealing with increasingly sophisticated cyber attacks from both criminals and nation states, notably China and Russia.
Alexander said the order seeks to improve information sharing between government and industry as well as "hardening" networks against attacks.
Alexander said better information sharing would not be enough to protect the networks in electrical power, financial, transportation, and other critical infrastructure.
"Our infrastructure is fragile," he said. "When you look at the amount of problems that we have, we also have to look at how we harden it, how do we bring together that. This executive order sets up a process for government and industry to start to address this problem."
Alexander called the executive order "only a down payment on what we need to address the threat."
"This executive order can only move us so far, and it's not a substitute for legislation," he said. "We need legislation, and we need it quickly to defend our nation."
The Washington Free Beacon first reported last week that the Department of Energy was targeted in a sophisticated cyber attack that sought sensitive information and compromised personal data on several hundred DOE employees and contractors.
The attack followed disclosures by the Wall Street Journal, the New York Times, and the Washington Post that they had been hit by Chinese-origin cyber attacks.
Earlier, U.S. banks had their networks disrupted by sophisticated cyber attacks that U.S. officials say were orchestrated by Iranian government agents.
Alexander said the PPD-21 creates a voluntary process for industry and government to share information.
"In particular, where so much of the critical infrastructure owned and operated by the private sector, the government is often unaware of the malicious activity targeting our critical infrastructure," Alexander said.
"These blind spots prevent us from being positioned to help the critical infrastructure defend itself, and it prevents us from knowing when we need to defend the nation. The government can share threat information with the private sector under this executive order and existing laws."
The order gives the government eight months to demonstrate an infrastructure threat reporting system.
"A real-time defensive posture for our military's critical networks will require legislation that removes barriers to public sharing of attacks and intrusions into private-sector networks," Alexander said.
The four-star general said Cyber Command is planning an expansion and new force structure.
The command protects Pentagon networks and will support combatant commands in waging cyber warfare in future conflicts.
Cyber Command spokesman Rivers Johnson said the reorganization is based on "an increasing threat of a cyber attack that could be as destructive as the terrorist attack on 9/11—one that would virtually paralyze the nation."
The Pentagon recognizes the danger and is urgently working on policies and structures to carry out the command’s mission.
"Accordingly, DoD is working closely with the combatant commands and U.S. Cyber Command to develop the optimum force structure for successfully operating in cyberspace within the authorities and requirements of the department," Johnson said.
"We will continue to provide effective capabilities to meet the nation's defense requirements in cyberspace while constantly seeking to recruit, train, and retain world class cyber personnel."
The new force structure will include Cyber National Mission Forces, Cyber Combat Mission Forces, and Cyber Protection Forces with specific roles and responsibilities.
"While the basic cyber force structure model is clear, the implementation plan to achieve it is still being developed and is pre-decisional at this time," Johnson said.
The new structure will include both defensive and offensive forces that can conduct cyber attacks against enemies, one of the command’s more secret roles.